From owner-freebsd-security@FreeBSD.ORG  Thu Jan 29 14:21:12 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 427F3196
 for <freebsd-security@freebsd.org>; Thu, 29 Jan 2015 14:21:12 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id B6973FFA
 for <freebsd-security@freebsd.org>; Thu, 29 Jan 2015 14:21:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id t0TEKu0F037375;
 Fri, 30 Jan 2015 01:20:56 +1100 (EST)
 (envelope-from smithi@nimnet.asn.au)
Date: Fri, 30 Jan 2015 01:20:56 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: jungle Boogie <jungleboogie0@gmail.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
In-Reply-To: <CAKE2PDsC8dvx23H5DZ_b90F7PmPr3LB8kyw68SbuHgF4Hb+nkA@mail.gmail.com>
Message-ID: <20150130011402.P36378@sola.nimnet.asn.au>
References: <mailman.92.1422446402.71362.freebsd-security@freebsd.org>
 <20150128194011.2175B19F@hub.freebsd.org>
 <20150128211910.80082283DA18@rock.dv.isc.org>
 <54C966BF.9000803@rewt.org.uk> <54C9837C.8090704@akips.com>
 <CAKE2PDsC8dvx23H5DZ_b90F7PmPr3LB8kyw68SbuHgF4Hb+nkA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-security@freebsd.org, Nick Frampton <nick.frampton@akips.com>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jan 2015 14:21:12 -0000

On Wed, 28 Jan 2015 17:01:50 -0800, jungle Boogie wrote:
 > Hi Nick,
 > On Jan 28, 2015 4:56 PM, "Nick Frampton" <nick.frampton@akips.com> wrote:
 > >
 > > On 29/01/15 08:46, Joe Holden wrote:
 > >>
 > >> Really, how many SCTP users are there om the wild... maybe one?
 > >>
 > >> It shouldn't be in GENERIC at the very least!
 > >
 > >
 > > We use Netflow over SCTP in our network monitoring product, so it would
 > be a pain to have to build a custom kernel.
 > 
 > But also a pain to have an exploit when it could be prevented.

Are you vulnerable to an SCTP exploit if you're not using SCTP?

 > Its all about trade offs, right?

I seem to recall similar resistance to including IPv6 into GENERIC ..

It _would_ be good to know more about who's using SCTP, and for what 
usage cases it has tangible benefits over TCP, but I guess not here.

cheers, Ian